OFFICE OF THE INSPECTOR GENERAL
CORPORATION FOR NATIONAL AND
COMMUNITY SERVICE

RECOMMENDED IMPROVEMENTS TO THE
CORPORATION'S INTERNAL CONTROLS
FISCAL YEAR 2000 - MANAGEMENT LETTER

OIG Audit Report Number 01-02
March 1, 2001

Prepared by:

KPMG LLP
2001 M Street, N.W.
Washington, D.C. 20036

Under the Corporation for National and Community Service
Purchase Order # 200008020002
GS Contract # GS-23F-8127H
Task Order # 00-01

This report was issued to Corporation management on July 13, 2001. Under the laws and
regulations governing audit follow up, the Corporation is to make final management decisions on
the report's findings and recommendations no later than January 9, 2002, and complete its
corrective actions by July 13, 2002.
Consequently, the reported findings do not necessarily
represent the final resolution of the issues presented.

Office of the Inspector General
Corporation for National Services

Recommended Improvements to the Corporation's Internal Controls
Fiscal Year 2000 - Management Letter
OIG Report 01-02

The Office of the Inspector General, Corporation for National Service, engaged KPMG LLP to audit the
Corporation's fiscal year 2000 financial statements. Their audit, conducted in accordance with
government auditing standards, resulted in an unqualified opinion on the Corporation's financial
statements. OIG Audit Report 01-01, Audit of the Corporation for National and Community Service's
Fiscal Year 2000 Financial Statements, describes the basis for the opinion as well as the material
weaknesses, other reportable internal control conditions, and compliance issues found as a result of the
audit.

During the engagement, the auditors also noted other matters involving the Corporation's internal
controls that were not considered material weaknesses or reportable conditions. This report, the
management letter, discusses these conditions and includes recommendations for corrective action. OIG
has reviewed the report and work papers supporting its conclusions and agrees with the findings and
recommendations presented.

We provided a draft to the Corporation for review and comment. In its response, Appendix B, the
Corporation agrees with certain of the findings and recommendations, but disagrees with others.
In order
to address certain of the concerns expressed in the Corporation's response, KPMG revised the report by
eliminating portions of two findings and revising the wording of others.

Inspector General
1201 New York Avenue, NW
Washington, DC 20525

Office of the Inspector General
Corporation for National and Community Service

Recommended Improvements to the Corporation's Internal Controls
Fiscal Year 2000 - Management Letter

KPMG Transmittal Letter

Appendix A -
Recommended Improvements to the Corporation's Internal Controls

Grants Management

A.1     An automated method of reconciling between PMS and Momentum
        currently does not exist. *

A.2     Grant Files continue to lack required documentation. *

A.3     Procedures for Administrative Close-out of DVSA Grants are not
        consistently performed. *

National Service Trust

B.1     Trust voucher processing lacks a tracking system and established
        time frame for payment issuance. *

B.2     Controls over educational award payments should be strengthened.

B.3     Controls over accuracy of information entered into SPAN should be
        improved.

B.4     Member enrollment and end-of-term forms on file are not always
        properly completed and approved timely.

B.5     Certain Members inappropriately received service awards.

B.6     The Trust Award liability calculation incorrectly included certain pending
        Members.

B.7     The roster confirmation process was ineffective during FY2000.

*   Represents comment repeated from prior year(s)

Content of Annual Financial Report

C.1     Additional improvements in the content of the Corporation's Annual
        Financial Report should be made. *

Revenue from Reimbursable Agreements

D.1     Receipts are not consistently deposited and recorded in a timely manner. *

D.2     Cost share agreements are not consistently established in Momentum
        in a timely manner.

D.3     Demand letters are not consistently sent on delinquent receivables.

D.4     The Corporation's methodology for aging receivables needs improvement.

Information Technology

E.1     Incomplete disaster recovery plan testing.

E.2     Inadequate Internal Control Assessment for Momentum at the National
        Business Center.

E.3     Shared Momentum System Administration Account.

E.4     Lack of proper access controls for WBRS.

Procurement and General Expenses

F.1     The Corporation's cut-off policy for recording liabilities for goods and
        services received, but not paid at year end, should be revised.

F.2     Duplicate vendor codes should be deleted from Momentum.

Human Resources

        Controls over processing of payroll and maintenance of supporting
        documentation should be improved. *

        National Civilian Community Corps member application files are
        incomplete. *

        Controls over National Civilian Community Corps payroll could be
        improved.

        VISTA member files are incomplete. *

        Inaccurate information is entered into VMS for VISTA members.

        Approval of Federal payroll reconciliation is not secured by a
        cryptography system. *

Net Position

H.1     Expired obligations are not consistently de-obligated.

Appendix B - Corporation Response

2001 M Street, N.W.
Washington, DC 20036

Inspector General
Corporation for National and Community Service:

We have audited the fiscal year 2000 financial statements of the Corporation for National and
Community Service, and have issued our report thereon, dated March 1, 2001.

In planning and performing our audit, we considered the Corporation's internal control over
financial reporting by obtaining an understanding of the internal controls. We determined
whether these internal controls had been placed in operation, assessed control risk, and
performed tests of controls in order to determine our auditing procedures for the purpose of
expressing our opinion on the financial statements, not to provide assurance on internal
control over financial reporting.

As a part of obtaining reasonable assurance about whether the Corporation's financial
statements were free of material misstatement, we performed tests of the Corporation's
compliance with certain provisions of laws and regulations, noncompliance with which could
have a direct and material effect on the determination of financial statement amounts, and
certain other laws and regulations. Our report on internal control over financial reporting and
on compliance with laws and regulations based on an audit of the financial statements,
performed in accordance with Government Auditing Standards, identified those matters we
considered to be reportable conditions.

During our audit, we also noted certain matters involving internal control over financial
reporting and other operational matters that are not considered reportable conditions.
These
comments and recommendations are presented in Appendix A to this letter for the
Corporation's consideration, and are intended to improve internal control over financial
reporting or result in other operating efficiencies. To the extent prior year comments have
continuing relevance, we have incorporated these comments into those presented in
Appendix A. Our audit procedures were designed primarily to enable us to form an opinion
on the Corporation's financial statements, and therefore may not bring to light all weaknesses
in policies or procedures that may exist.

The Corporation's responses to our comments and recommendations are presented in
Appendix B. In order to address certain of the concerns expressed in the Corporation's
response, we have eliminated portions of two of the original comments and have clarified the
wording of two others.

KPMG LLP. KPMG LLP, a U.S. limited liability partnership, is
a member of KPMG International, a Swiss association.

This report is intended solely for information and use of the United States Congress, the
President, the Director of the Office of Management and Budget, the Comptroller General of
the United States and the Corporation for National and Community Service and its Inspector
General, and is not intended to be and should not be used by anyone other than these
specified parties.

March 1, 2001

Appendix A

Office of the Inspector General
Corporation for National and Community Service

Recommended Improvements to the Corporation's Internal Controls
Fiscal Year 2000 - Management Letter

Grants Management

A.1      An automated method of reconciling between PMS and Momentum currently does
         not exist.

An automated method of reconciling between PMS and Momentum
currently does not
exist. Although the Corporation has made improvements to the reconciliation process, it
is still a manual process, which is prone to human error and will become more
cumbersome as DVSA grants are migrated over to the Payment Management System
(PMS).

We recommend the Corporation implement an automated system of reconciliation
between PMS and Momentum.

A.2      Grant Files continue to lack required documentation.

As part of our audit of the Corporation's grants management process, we selected and
reviewed 78 each of active NCSA and DVSA grant files to ascertain whether controls
over obtaining and maintaining required documentation to support grant awards were
functioning as designed. We noted the following exceptions:

NCSA grant files:

  - Eleven Program Officer's Certifications were not completed or signed.
  - Ten Grant Officer's Certifications were not completed or signed.
  - Twenty-six FSRs were submitted late or not received from the grantee.
  - Two award documents were not completed or signed.
  - Eleven files did not contain a copy of the grant terms and provisions.
  - Twenty files did not contain a copy of the grant application to provide evidence of
    appropriate approval by Corporation officials (20); signature of the Executive
    Director for state commission grants (8); or compliance with matching and budget
    requirements (8).
  - Two Fund Certifications were not complete or signed.
  - Two award amounts in the grant file did not agree with the amount recorded in
    Momentum.
  - Thirty files did not contain a completed Award Tracking Spreadsheet or Grant
    Distribution Checklist.

DVSA grant files:

  - One application (SF-424) was not in the file.
  - Twelve service center checklists were not signed by service center staff.
    This occurred primarily at the Southern (Atlanta) service center.
  - Five files did not include a service center checklist.
  - One service center checklist was not fully completed.
  - One Notice of Grant Awards (NGA) award year did not agree with the application
    form or information in Momentum.
  - Twenty-one NGA's were not mailed 33 days prior to the award start date for grants
    starting before 6/9/00.
  - Five NGA's were not mailed 10 days prior to the award start date for grants starting
    after 6/9/00.
  - One file revealed that disbursements were made prior to the mailing of the NGA.
  - One file revealed that the same staff person approved and entered the transaction in
    Momentum.
  - One Procurement Request was not signed by the Grants Management Officer or the
    Budget Analyst.

The foregoing exceptions are evidence of noncompliance with the Corporation's Grant
Management Guidelines. Missing, incomplete, or inaccurate file documentation makes
it difficult to review matters concerning grantees should questions arise, or during grant
close out procedures.

We continue to recommend the Corporation strengthen its controls over the completeness
of grant files by enforcing the use of file completeness checklists. Compliance with these
procedures should be monitored by supervisory spot checks of grant files. Follow-up
procedures to obtain missing documents or correct errors noted in the files should also be
established.

A.3      Procedures for Administrative Close-out of DVSA Grants are not consistently
         performed.

Based on our review of 35 expired DVSA grants, we noted the following:

  - Three files did not have evidence that a closing reconciliation was performed.
  - One file did not include a final FSR.
    The final FSR was due December 31, 2000.
  - Five grants were not closed within the required 180 days.
  - One close-out form was not signed by the service center staff.
  - Six checklists for grantee completion of programmatic requirements were not located
    in the file. The Corporation had only requested information from the grantees for two
    of the six.

These are similar to the types of exceptions noted in our prior year audits. By not
consistently and timely performing closeout procedures, the Corporation risks not
identifying excess amounts advanced to grantees that should be returned to the
Corporation.

We continue to recommend that the Corporation develop a consistent method for
identifying expired grants and for administratively closing these grants in a timely
manner. Review and follow-up procedures by the Service Centers and headquarters
should be implemented to ensure Program Offices respond to correspondence and that
grants are closed timely.

National Service Trust

B.1      Trust voucher processing lacks a tracking system and established time frame for
         payment issuance.

As noted in the prior year, the Corporation has established an informal goal for
processing Trust payment vouchers within 15 days of receiving a properly completed
payment voucher. However, no formal guidelines exist to identify what time frame
actually constitutes payments on a timely basis. Further, because the Corporation does
not track vouchers received and their current status, we were unable to determine the
reason for any noted untimely payments.

Of the 88 fiscal year 2000 Trust payments selected for test work, 32 payments (36
percent) were not made within 25 days of the lending or educational institution's sign-off
date.
Because the vouchers did not contain date stamps to indicate the dates received by
the Corporation, we used a 25 day period from the date the institution approved the
voucher until the date payment was made to assess timeliness, allowing 10 days for
delivery to the Corporation.

We continue to recommend that the Corporation include, in its written policies, the time
frame in which Trust payment vouchers should be processed, and take action to enforce
the time frame established. In addition, the Corporation should institute a system to track
vouchers it receives to assist the Corporation in identifying the current status of vouchers
(e.g., returned to grantee for further information, date revised voucher was received,
approved and forwarded for payment processing, etc.) and when they should be paid.

B.2      Controls over educational award payments should be strengthened.

During our review of 88 disbursements from the National Service Trust, we noted the
following:

  - Two payments were made to incorrect institutions.
  - One part-time member was paid an additional $700 over and above the Corporation
    approved award amount for a part-time member.

The payments to the incorrect institutions were detected by the institutions when the
payments were received and sent back to the Corporation for correction. Although the
overpayment to the part-time member was identified by cluster representatives, the
institution was not contacted until the time of our review to recover this amount.

We recommend that controls over disbursements from the National Service Trust be
strengthened to include an independent review of payments to ensure the correct amounts
and institutions are paid.
Additionally, controls over overawards should be improved to
ensure they are adequately monitored and recovered within a reasonable time.

B.3      Controls over accuracy of information entered into SPAN should be improved.

During our test work over the National Service Trust, we noted that information was
incorrectly entered into the SPAN database as follows:

  - For seven of 78 enrollment forms tested, information such as birth date, enrollment
    status and enrollment date, was entered incorrectly.
  - For 34 of 72 end-of-term forms tested, information such as social security number
    (3), completion date (16), hours of service (14) and enrollment status (4), was either
    entered incorrectly or could not be determined according to the documentation
    available for review.

Although the effect of the exceptions noted was not considered material, inaccurate
information in SPAN could result in errors when future educational award payments are
requested and in the computation of the National Service Trust liability for financial
statement purposes.
We recommend an independent review of information entered into
SPAN be performed by a second individual and compared to source documentation to
ensure its accuracy.

B.4      Member enrollment and end-of-term forms on file are not always properly
         completed and approved timely.

We noted the following exceptions during our review of Member file documentation:

  - Twelve of 72 members did not sign or date their end-of-term forms.
  - Four of 70 end-of-term forms had no certifying official's signature.
  - Two of 78 enrollment forms were not signed by a certifying official.
  - For thirteen of 65 end-of-term forms where a date was included for the certifying
    official's signature, the time lag between the service completion date and the date the
    certifying official signed the form was over one month.

Where paper forms are still used to document enrollment and end-of-term data, we
recommend Member files be subject to a periodic review to ascertain that all forms are
complete, and properly signed and approved. We also recommend that certifying
officials be required to indicate their approval within a 30-day period following Member
sign off and the service completion date.

B.5      Certain Members inappropriately received service awards.

Our tests of the SPAN database included a computer assisted audit technique for a
comparison of the enrollment date to the completion date for all members who earned
service awards. As a result of these procedures, we noted that:

  - Three Members earned part-time education awards who did not complete service in
    less than two years, as required by law. Completing part-time service in excess of
    two years is allowable in certain cases (e.g., for members who properly suspended
    service or enrolled in an institution of higher education).
    However, the documentation provided to us did not identify the reasons for the
    extended periods of service in these cases.
  - One VISTA Member earned a full-time education award who did not complete
    service in less than one year.

We recommend all potential awards be rechecked prior to entry into SPAN to ensure the
award was earned within the time period required. Any exceptions to the time
requirement should be properly justified and formally documented in the Member's file.

B.6      The Trust Service Award liability calculation incorrectly included certain pending
         Members.

As a part of our audit of the Trust Service Award liability, we determined that certain
pending members included in the calculation were not valid as follows:

  - For seven of twenty items reviewed, no enrollment forms were received for the
    Members to be enrolled. These pending Members were deleted from the SPAN
    database at the time of our review.

  - For six of the twenty items reviewed, the pending Members had been previously
    enrolled in two service projects and therefore were not eligible to receive another
    education award.

Although the effect of including these pending Members was immaterial (approximately
$7,500), the exceptions indicate that greater care should be taken in monitoring the
pending Member information in SPAN. We recommend a periodic review of all pending
Members be made to determine continued eligibility and appropriate action taken to
delete or otherwise resolve any exceptions noted.

B.7      The roster confirmation process was ineffective during FY2000.

Although the Corporation is phasing out the roster confirmation process due to the
implementation of the Web Based Reporting System (WBRS), we noted the process
continued to be ineffective as a control over information entered into SPAN when used
during fiscal year 2000.
Exceptions noted included failure of grantees to return roster
confirmations to the Corporation and failure to input corrections noted on roster
confirmation responses; thus nullifying the purpose of the confirmation process. Until
WBRS is fully implemented at all Corporation grantee locations and alternative controls
are in place to ensure Member data input to SPAN is accurate, we continue to
recommend the Corporation emphasize the importance of the confirmation process as a
key control over the accuracy of the SPAN database.

Content of Annual Financial Report

C.1      Additional improvements in the content of the Corporation's Annual Financial
         Report should be made.

During fiscal year 2000, the Corporation's financial statements were compiled from its
new general ledger system, Momentum, which greatly improved the overall efficiency of
the financial statement preparation process. The Corporation is continuing to make
enhancements to Momentum, by making preparation for and implementing additional
system modules and modifying the existing general ledger module to better serve its
financial management needs.

We recommend the Corporation consider the following specific improvements in its
financial reporting process and in the content of the annual financial report:

  - Refine the cost accounting module incorporated within Momentum to accumulate
    direct and indirect costs related to each major program (i.e., AmeriCorps, Learn &
    Serve, Senior Corps). The cost accounting module should include a means to
    aggregate and allocate administrative and other overhead costs (such as office rent
    and data processing) among the programs.
    A separate cost category for general and
    administrative costs should also be maintained for costs that are otherwise not
    allocable to specific programs.

  - Report Trust and Gift fund financial information separately within the audited
    financial statements. Although the FY2000 Annual Report included information
    specific to the Trust and Gift funds in management's discussion of financial results,
    the information was not incorporated as a discrete part of the audited financial
    statements. We continue to believe the Corporation's financial statements should
    report the operations of the Trust and Gift Funds separately, either on the face of, or
    in a note to, the financial statements to enhance their usefulness to the readers. We
    suggest combining the Trust Fund's financial statement disclosures, other NCSA-
    required reporting and other relevant statistics into a format that will facilitate
    understanding and analysis of the Trust Fund's operations by Congress and other
    financial statement users.

  - Aggregate expenses by major program on the face of the statement of operations and
    changes in net position. Present a supplemental schedule of program costs that would
    separately report grant expenses and other costs by object class for each major
    program.

  - Consider the recommendations made in a separate report issued to the Corporation on
    the applicability and advisability of reporting the Corporation's financial operations
    in compliance with the requirements of OMB Bulletin No. 97-01, Form and Content
    of Agency Financial Statements.
    Federal entities, like the Corporation, which had
    been reporting under Financial Accounting Standards Board (FASB) accounting
    standards prior to Federal Accounting Standards Advisory Board (FASAB)
    recognition by the AICPA as an official standard setting body for federal agencies,
    have been permitted to continue to report under the FASB standards until the FASAB
    issues an official ruling on this matter. However, since the Corporation receives most
    of its funding from annual appropriations from Congress, reporting under the
    requirements of OMB Bulletin No. 97-01, as amended, may be a preferable and more
    meaningful reporting method for the users of the financial statements.

Revenue from Reimbursable Agreements

D.1      Receipts are not consistently deposited and recorded in a timely manner.

Our tests of receipts revealed one instance out of 43 fiscal year 2000 receipts tested
where receipts were deposited 13 business days after initial receipt.
Corporation policies
#1001, Cash Receipts, and #1002, Cash Receipts-Regional Service Centers, state that
receipts should be deposited timely, preferably daily, but always within Treasury
Department guidelines (i.e., within 5 business days of receipt).

In order to improve the safeguarding of Corporation assets and the timely reporting of all
financial transactions, we recommend the Corporation enforce the deposit of receipts
within 5 business days, as prescribed by Treasury Department guidelines.

D.2      Cost share agreements are not consistently established in Momentum in a timely
         manner.

The Corporation did not establish cost share obligations in Momentum timely, as follows:

  - Six of 45 cost share agreements tested were not established in Momentum until
    after the beginning of the agreement period.

  - Budgeted amounts for five of 45 agreements tested were not re-established in
    Momentum after year-end. During January 2001, Momentum was upgraded and
    those budgeted amounts could not be re-established due to system problems
    which prevented their re-entry. However, adequate time (approximately three
    months) passed between year-end and the system upgrade to allow the budget
    information to be entered.

We recommend the Corporation monitor and ensure compliance with its Cost Share Final
Procedures to ensure accurate and timely recording of all cost share obligations.

D.3      Demand letters are not consistently sent on delinquent receivables.

Eight of twenty receivable accounts tested were delinquent (i.e., outstanding more than
30 days) as of September 30, 2000; however, no demand letter had been sent to one of
the debtors to inform the debtor of the delinquency. Thus, no interest, penalties or
administrative charges were assessed on that debt.
Corporation Policy #400, Debt
Collection, requires that a demand letter be sent by the Corporation when a receivable
becomes delinquent. If it has not been paid by the date specified in the demand letter
(usually 30 days), a delinquent debt is subject to interest, penalties and administrative
charges. An uncollectible debt must also be forwarded to Treasury's Financial Management
Services (T-FMS) for further debt collection action if there is no resolution after 180 days.

We recommend the Corporation run a report to assess delinquency of accounts receivable
and send demand letters where appropriate on a monthly basis. The Corporation should
further run an exception report to determine which delinquent receivables have not been
sent a demand letter on a monthly basis to ensure proper notification is provided to the
debtors.

D.4      The Corporation's methodology for aging receivables needs improvement.

Sound business practice suggests that the "begin date" for the aging of receivables is the due
date specified on each invoice and that penalties and interest are assessed based on this date.
This practice provides "incentive" for the debtor to pay invoices timely and ensures that the
receivable is properly aged based on the due date specified on the invoice for purposes of
calculating the allowance for doubtful accounts.

Although the Corporation bills cost share agreements quarterly, the Corporation does not
send demand letters until after the end of the agreement period. Such receivables are not
considered delinquent until two demand letters have been sent.
Thus, no interest
penalties are assessed on cost share receivables until 90 days after the date of the final
invoice, when interest is retroactively calculated as of the 60th day after final invoicing.
For example, the 1st quarter billings of a one year cost share agreement would be twelve
months old before being classified as delinquent.

The Corporation also does not commence the aging of receivables for cost share agreements
until the final date of invoicing. Thus, the 1st quarter billings of a one year cost share
agreement would be nine months old before the Corporation starts to count the number of
days outstanding for purposes of calculating the allowance for doubtful accounts (i.e., the
date of final invoicing is considered "day one" for aging purposes).

We recommend the Corporation review and revise its cost share accounting policies to
use the due date specified on each invoice as the "begin date" for aging of receivables and
assessing penalties and interest.

Information Technology

E.1      Incomplete disaster recovery plan testing.

The Corporation's disaster recovery plan has not been tested for over a year, although we
understand the Corporation plans to conduct a test later in 2001. Federal Information
Processing Standards (FIPS) Publication 87, Guidelines for ADP Contingency Planning,
Section 4 states that:

      "one of the more important aspects of successful contingency planning is the
      continual testing and evaluation of the plan itself. Quite simply, a plan, which has not
      been tested, cannot be assumed to work. Likewise, a plan documented, tested once
      and then filed away to wait the day of need provides no more than a false sense of
      security.
Data processing operations are, historically, volatile in nature, resulting in\n      frequent changes to equipment, programs, documentation, customer requirements,\n      and often even in the way daily business is conducted. These actions make it critical\n      to consider the plan in the same context, i.e., one in which frequent changes occur. A\n      plan quite adequate today may be woefully unsatisfactory 2 months, or less, from\n      now. Suffice to say, that if the ADP contingency plan is not subjected to continual\n      and rigorous management review as well as to in depth testing on a scheduled basis it\n      will fail when needed."\n\nWe recommend that the plan be re-evaluated and tested regularly (i.e., annually) to\nincrease the likelihood that the efficient recovery of IT resources will be possible in the\nevent of a disaster. The disaster recovery plan should also be updated to reflect the\nresults of testing and the implementation of hardware and software changes in the IT\nenvironment.\n\nE.2       Inadequate Internal Control Assessment for Momentum at the National Business\n          Center.\n\nThe National Business Center (NBC) does not have a current SAS-70 report that\naddresses the client/server environment on which the Momentum application used by the\nCorporation is run. A readiness evaluation has been performed at NBC, and a SAS-70\nreport addressing its client/server environment and the Momentum application is\nexpected to be performed during the second quarter of 2001.\n\nThe AICPA has promulgated SAS No. 70, Audits of Service Organizations, to provide\nguidance for reviewing the controls in place at service organizations. A SAS No. 70\nreport provides an opinion on the assertions made by a service organization\'s\nmanagement about their internal controls. 
These reports are intended for use by the client\nand its auditors in assessing control risk.\n\nWe recommend that the Corporation notify NBC of its interest in receiving a copy of the\nplanned SAS-70 report when it is completed. Expressions of such client interest may\nhelp ensure NBC periodically re-performs the SAS-70 procedures to provide reasonable\nassurance to its customers that the procedures in place at NBC are operating effectively.\nAdditionally, we recommend that the Corporation request detailed descriptions of the\nprocedures used at NBC for the maintenance and recovery of the Momentum application\nand its related data.\n\nE.3    Shared Momentum System Administration Account.\n\nThree employees within the Office of Information Technology (OIT) have been\nauthorized to perform system administration duties for the Momentum application.\nHowever, two of the three individuals with administrative access share a single\naccount.\n\nFederal Information Processing Standards (FIPS) Publication 73, Guidelines for Security of\nComputer Applications, Section 3.2.1, Requirements for Identity Verification, states:\n"Users should be uniquely identified so that they can be held responsible for their\nsubsequent activities - it is usually not enough just to verify that the user is one of the\nauthorized users. 
The only cases where it may not be necessary to have distinct\nverification test for each individual occur when:\n\n       - All approved users of a given interface are allowed to perform any of a (possibly\n         restricted) set of actions\n       - There is no need to keep records of who performed what actions."\n\nWe recommend that individual accounts be set up for all personnel, including those with\nsystem administration privileges, to provide for user accountability.\n\nE.4    Lack of proper access controls for WBRS.\n\nThe following access control deficiencies in violation of OMB Circular A-130 were found:\n\n       - WBRS password entry attempts are not limited to three attempts; an individual\n         may reload the login window and try to gain access indefinitely. Multiple failed\n         attempts do not trigger a freezing of the account to defend the system against\n         unauthorized access.\n\n       - Even though the training and help materials suggest that users should use\n         passwords that are at least six characters long, there is no enforcement. 
Users\n         were found with passwords five characters long.\n\n       - WBRS does not automatically log off after a period of 30 minutes of inactivity.\n\nWe recommend the Corporation:\n\n       - Initiate a task to upgrade password management for WBRS that supplements the\n         local blocking of multiple unsuccessful password attempts with a freezing of the\n         account pending an authenticated call by the account holder.\n       - Initiate a task to upgrade password management for WBRS that enhances the\n         code to check the length of new passwords.\n       - Initiate a task to upgrade the WBRS code so it will log off an account after 30\n         minutes of inactivity.\n\nProcurement and General Expenses\n\nF.1    The Corporation\'s cut-off policy for recording liabilities for goods and services\n       received, but not paid at year end, should be revised.\n\nDuring our search for unrecorded liabilities, we identified 17 items totaling $815,188 that\nshould have been recorded as liabilities at year-end. Upon investigation, we noted that\nthe Corporation did not accrue liabilities at year-end unless Corporation personnel had\nofficially accepted the purchased items or services before October 1, 2000, even if the\ngoods or benefits of the services were received prior to year end. The Corporation\nsubsequently recorded an adjustment to properly recognize the $815,188 as a liability at\nSeptember 30, 2000.\n\nPer Statement of Financial Accounting Concepts No. 6, paragraph 35, liabilities are\n"probable future sacrifices of economic benefits arising from present obligations of a\nparticular entity to transfer assets or provide services to other entities in the future as a\nresult of past transactions or events." 
The date of actual receipt of the goods or services\nwould therefore take precedence over any internally mandated practice of "official\nacceptance" prior to recording a liability.\n\nIn order to ensure all liabilities are recorded in the proper period, we recommend the\nCorporation revise its policy to make its official acceptance date the same as the date the\ngoods or services are received.\n\nF.2     Duplicate vendor codes should be deleted from Momentum.\n\nAs part of extended procedures performed over vendor files during the fiscal year 2000\naudit, we obtained a listing of all disbursements recorded in Momentum from September\n1999 through September 2000. We sorted this listing by vendor code, scanned it, and\ndetermined that 37 vendor codes corresponded to more than one vendor profile.\n\nThis situation typically results from the correction of information in the vendor profile.\nWhen corrections are made, the original vendor information is required to be deactivated\nor deleted. However, in 4 of the 37 cases noted above, the original vendor information\nhad not been deactivated or deleted until we identified the problem. 
As a result,\ndisbursements could have been made using the incorrect vendor information.\n\nWe recommend that the Corporation implement procedures to periodically review vendor\ncodes to ensure that only one active vendor profile is associated with each vendor code.\n\n\nHuman Resources\n\nG.1      Controls over processing of payroll and maintenance of supporting\n         documentation should be improved.\n\nDuring our internal control test work related to payroll we noted the following matters\nrequiring management attention:\n\n      - Three of 83 Notification of Personnel Action forms (SF-50) did not include the\n        signature of the Employment and Training Manager indicating her approval.\n        Corporation policy requires that the Employment and Training Manager approve all\n        SF-50s.\n      - For one employee, $312.10 was deducted for retirement benefits under the Federal\n        Employees Retirement System (FERS) instead of $50.61.\n      - For one employee, $6.20 was deducted for Federal Employees Group Life Insurance\n        premium (FEGLI) instead of $11.78.\n      - Four of 78 timesheets were not signed by a timekeeper to indicate review for\n        technical accuracy. Corporation policy requires that all timesheets be signed by a\n        timekeeper.\nWe recommend Corporation policies regarding required payroll documentation be\nreemphasized to all payroll personnel. 
Additionally, we recommend a review of payroll\ndeductions and other amounts included on the payroll register be performed on a periodic\nbasis by someone independent of the regular payroll accountant to identify and correct\nany noted errors.\n\nG.2      National Civilian Community Corps (NCCC) member application files are\n         incomplete.\nDuring our test work over the fiscal year 2000 NCCC payroll process, we noted that 33\nof the 78 members\' application files were incomplete as follows:\n      - For 7 members, there were no background checks on file.\n      - For 1 member, there was no W-4 on file.\n      - For 16 members, the certifying official did not sign the enrollment forms.\n      - For 1 member, the certifying official did not sign the agreement or enrollment form.\n      - For 8 members, there were no application forms on file.\nCorporation policy requires a complete application file that includes application forms,\ncertifying official\'s signature on the enrollment form and service agreement, background\ninvestigation, and a W-4 for all NCCC members.\nWe recommend the Corporation reemphasize the importance of maintaining accurate and\ncomplete NCCC Member files. 
Additionally, periodic spot checks of the completeness\nand accuracy of files should be made by NCCC supervisors.\n\n\nG.3      Controls over National Civilian Community Corps payroll could be improved.\nDuring our test work over NCCC members during fiscal year 2000, we noted the\nfollowing payroll processing exceptions:\n   - One of 30 Members selected from pay period 14 was paid $90.72 instead of $129.60.\n   - One of 37 Members selected from pay period 21 was paid $818.40 instead of\n     $142.56.\n   - Four of the 37 members enrolled in pay period 21 were not included in the pay\n     register for that period.\nProper internal controls require that payments made to NCCC members be reviewed for\naccuracy by an authorized person. We recommend that a review of payroll\ndeductions and other amounts included on the NCCC payroll register be performed on a\nperiodic basis by someone independent of the regular payroll accountant to identify and\ncorrect any noted errors.\n\nG.4      VISTA member files are incomplete.\nDuring our review of 78 VISTA member files for fiscal year 2000, we noted that files\nwere incomplete as follows:\n\n      - Fourteen application forms were not signed by the State Program Director or\n        Regional Program Director.\n      - Nine application and sponsor evaluation forms were not included in the member file.\n      - One application form was not signed by the Member.\n      - Seven files did not have completed health questionnaire or health benefits forms.\n      - Six terminated VISTA member files did not contain Future Plan forms.\n      - Nine Stipend/Education forms were not signed by the State Director.\n      - Properly completed Sponsor verification forms were not included in all files reviewed\n        (sixteen missing forms; eleven forms not submitted timely; one form with incorrect\n        Member\'s name).\nCorporation policy requires a complete 
application file that includes a completed health\nquestionnaire or health benefits form, a Future Plan form, sponsor evaluation and\nverification forms, a stipend/education form that is signed by the State Program Director, and\nan application form that includes both State Program Director and member signatures.\nWe recommend the Corporation reemphasize to all personnel the importance of\nmaintaining accurate and complete VISTA Member files. Additionally, periodic spot\nchecks of the completeness and accuracy of files should be made by VISTA supervisors.\n\n\nG.5    Inaccurate information is entered into VMS for VISTA members.\nDuring our test work over VISTA members, we noted that information was incorrectly\nentered in VMS as follows:\n   - For 8 of the 49 Future Plans forms reviewed, the termination date was incorrectly\n     entered into VMS.\n   - For 3 of the 78 items selected, the stipend/education award election was incorrectly\n     entered into VMS.\nProper internal controls require that data entered into the VMS system is complete,\naccurate and supported by source documentation. We recommend an independent review\nof information entered into VMS be performed by a second individual and compared to\nsource documentation to ensure its accuracy.\n\n\nG.6    Approval of Federal payroll reconciliation is not secured by a cryptography\n       system.\nDuring the NFC PC-TARE payroll reconciliation process, the reconciliation is signed by\nboth the Personnel Management Specialist (preparer) and the Labor and Employee\nRelations Team Leader (reviewer) by means of scanned-in signatures. The signatures are\nnot secured.\nA true electronic signature, as part of a public key cryptography system, can only be used\nby the person to whom it belongs. 
Improper use is detected by means of a cryptographic\nalgorithm.\nAdequate control procedures include the safeguarding of approval signatures maintained\nin electronic or stamp form.\nWe recommend the Corporation secure the approval signatures on the Federal payroll\nreconciliation by a cryptography system.\n\nNet Position\n\nH.1    Expired obligations are not consistently de-obligated.\n\nDuring our procedures over obligations open at September 30, 2000, we noted that 7 of\n79 items selected should have been deobligated at year end. The Corporation posted an\nadjustment in the amount of $362,821 to the FY 2000 financial statements to deobligate\nthese items.\n\nCorporation policy requires that remaining obligations be deobligated when final\npayments are made on non-grant items and 180 days after the grant award periods expire\nfor grant-related obligations.\n\nWe recommend the Corporation institute measures to ensure prompt and accurate de-\nobligation of expired obligations.\n\n\nAppendix B\n\n\n    DATE:       June 22, 2001\n\n    TO:         Luise Jordan, Inspector General\n\n    FROM:       William Anderson, Deputy Chief Financial Officer\n\n    SUBJECT:    Comments on June 18 draft of OIG Report 01-02, Recommended Improvements\n                to the Corporation\'s Internal Controls - FY 2000 Financial Statement Audit\n                Management Letter\n\n\n            The Corporation has reviewed the draft management letter containing suggestions for\n    improving 
internal controls and is pleased to note that two areas for improvement that appeared\n    in the fiscal 1999 management letter, Laws and Regulations and Property and Equipment, are\n    no longer considered areas in which improvements are needed. The Corporation is providing\n    detailed responses to each of the suggestions in other areas below.\n\n    A. Grants Management\n\n    Summary of Finding:\n\n            The management letter stated that the Corporation does not currently have an automated\n    method of reconciling between the Payment Management System (PMS) and Momentum;\n    grant files were not complete; and administrative closeout procedures of Domestic Volunteer\n    Service Act (DVSA) grants are not routinely performed.\n\n    Corporation Comments:\n\n    Automated System of Reconciliation\n\n            The Corporation developed an automated system for reconciling PMS and Momentum\n    and is currently testing it. Using Visual Basic for Access Program, the Corporation performs\n    an automated comparison of authorizations reported in the monthly PMS Synchronization\n    Report with the obligated amount recorded in Momentum. The report generated from this\n    comparison identifies the differences between the two systems by document number and fiscal\n    year. The Corporation will continue to refine the program logic to minimize timing\n    differences. The estimated completion date is December 2001.\n\n    Grant Files\n\n            The Corporation has implemented supervisory spot check procedures for grant files and\n    will re-emphasize the importance of following them. 
Follow-up procedures are also in place to\n    obtain missing documents. For example, for all National Community Service Act (NCSA)\n    grants the files are reviewed each year during the award process to ensure that all required\n    documentation is included in the file. However, the Corporation will need to review the\n    auditor\'s working papers and evidence supporting the auditor\'s conclusion to analyze the\n    exceptions noted because its review of the NCSA files tested by the auditors does not agree\n    with the results reported in the management letter.\n\n\nNATIONAL SERVICE: GETTING THINGS DONE    1201 New York Avenue, N.W. Washington, D.C. 20525\ntelephone: 202-606-5000 website: www.nationalservice.org\n\n\n         Specifically, the Corporation\'s records agree with those of the auditors in only one of\nthe 11 categories of exceptions noted. For example, the finding notes that 10 of 78 files did not\ncontain a grant officer\'s certification for a specific grant amendment. However, in at least five\nof those cases, a certification is not required because the amendment was issued for a de-\nobligation or a no-cost extension. Those circumstances were discussed with the auditors during\nthe course of the audit.\n\n          In addition, the auditors stated that missing, incomplete or inaccurate file\ndocumentation makes it difficult to review matters concerning grantees should questions arise,\nor during grant close out procedures. However, the Corporation reviewed the items that were\nidentified as missing from the files and determined that most were not necessary to answer\nquestions about or close out grants. Most of the missing documents were items such as the\nchecklists of file contents. 
In these cases, there were no required documents missing from the\nfile, just the checklist that confirms that all documentation is in the file.\n\n        Documents such as Financial Status Reports (FSRs), which would affect the\nCorporation\'s ability to answer questions or close out grants, were missing in only seven of a\ntotal of 156 files tested. In most of those cases, the file documented that the FSR was late and\nthat grants staff was following up to obtain it. Grantees are responsible for submitting FSRs\nand some do not submit them in a timely manner. Therefore, at any given point in a grant\ncycle, an FSR may be missing and standard procedures are in place to secure the missing\ndocuments. Grants staff follow up with grantees to obtain missing FSRs and withhold\npayments to grantees in cases of excessive delinquency.\n\nClose Out of Grants\n\n        The Corporation has implemented policies and procedures for close out of grants that\nboth service center and headquarters staff follow. The Corporation is also in the process of\nclosing out all expired NCSA grants and expects to complete the process early in fiscal 2002.\nThe Corporation does not believe that the conditions found created a risk that funds due to the\nCorporation might not be identified and returned. Most of the auditor\'s findings were related to\nissues that would not affect proper reconciliation of amounts due to the Corporation, such as\nmissing checklists or signatures or missed deadlines. Of the 35 expired grants reviewed, only\none was missing a document (an FSR) that might affect amounts due, and only three others did\nnot contain verification of the reconciliation.\n\n        The most common finding was that a closeout checklist was not included in the file.\nHowever, the checklist procedure was implemented during the year and files of grants closed\nout before implementation would not have contained it. 
In addition, timeliness is directly\naffected by the number of grants to be closed. Current practice requires that all 1800 DVSA\ngrants be closed out each year. The Corporation agrees that, although grants are closed out,\nthey are not always closed within the targeted 180 days. Therefore, as the Corporation moves\nthe DVSA grants to the Department of Health and Human Services\' payment system, grant\nterms, and thus closeout activities will be spread over a three-year period, which will allow\nmore timely, consistent close outs.\n\nB. National Service Trust\n\nSummary of Finding:\n\n         The management letter stated that Trust voucher processing lacks a tracking system and\ntime frame for payment issuance; controls over educational award payments should be\nstrengthened; controls over accuracy of information entered into SPAN should be improved;\nmember enrollment and end-of-term forms on file are not always properly completed and\napproved timely; certain members inappropriately received service awards; the service award\nliability calculation incorrectly included certain pending members; and the roster confirmation\nprocess was ineffective during fiscal 2000.\n\nCorporation Comments:\n\nProcessing Vouchers Timely\n\n        In previous audit findings, the auditors recommended that the Corporation institute a\nvoucher processing tracking system that would identify the status of vouchers. In response to\nthis finding, the Corporation instituted a date stamp system in August 2000. Each educational\naward payment voucher and interest voucher is date stamped on the day it is received into the\nTrust. 
The auditor\'s sample was selected primarily from forms received prior to\nimplementation of the date stamp procedure.\n\n         In discussions with the auditors, the auditors stated that they used the date on which the\ninstitution signed the form as the basis for when the "clock starts." As previously explained,\ninstitutions will frequently hold vouchers and send them in large numbers several days, weeks,\nor even months after they have signed them. For example, while the auditors were on site, the\nCorporation tested the last 20 vouchers received by the Trust on February 14, and examined the\ndates that the institutions signed them. The dates ranged from February 9, 2001 to August 23,\n2000, or from 5 days to 5 months before the Corporation received them. Therefore, the\nCorporation does not agree with the conclusion that disbursements were made more than 25\ndays after receipt.\n\nControls Over Award Payments\n\n       The finding states that $700.00 was paid to an incorrect institution because cluster\nrepresentatives can override system flags. In fact, the payment was made to the wrong\ninstitution simply due to human error. To correct this error, a system flag was appropriately\noverridden. The Trust made over 43,000 payments in fiscal 2000. Although the Corporation\nstrives for 100 percent accuracy, it knows of no cost-effective payment system that does not\nhave some errors.\n\n       The report also states that one payment was made to an institution before the requested\npayment date. However, by regulation, payments are scheduled to arrive at the institution by\nthe beginning date of the enrollment period (and midpoint, if there are two installments),\nregardless of what date the member or the school requests. 
If payments are $1,500.00 or less,\nthe Corporation does not split the payment, as it is not cost effective for the Trust to do so.\nThus, the payment was properly processed.\n\nControls Over Accuracy of SPAN\n\n        Data that the Trust receives via the Web-Based Reporting System (WBRS) is\nconsidered to be the official source of information and is considered to be the correct data,\nunless the Trust is notified by the program of an error. Auditors compared enrollment and exit\ndata in SPAN with data on paper enrollment and exit forms maintained at program sites, which\nmay not have had the most current, updated information on them. However, award eligibility is\nbased on data that is entered into WBRS by authorized program personnel. Award amounts,\nwhich are the basis of the Service Award Liability, are determined by the total hours served.\nThe official information that the Trust has is not taken from paper sources, unless the program\ndoes not use WBRS.\n\n        The auditors reported that for 9 of the 88 disbursements tested, the requested payment\ndate on the voucher was incorrectly entered into SPAN. As explained to the auditors, the\ndefault payment date in SPAN is always "today\'s" date. For example, if a payment were\nrequested for a school enrollment that began in September, the September date would not be\nentered. Because the enrollment in school has already occurred, the payment should go out\nimmediately. The default date would automatically appear creating an immediate payment. It\nis unnecessary and would be wasteful to change the default date to last September.\n\nMember Forms\n\n       The enrollment and end of term forms were developed prior to WBRS, when these\nforms were the official means for transferring enrollment and exit information to the Trust.\nNow that WBRS is the official source of this information, the forms are unnecessary for\nprograms in WBRS. 
On both the enrollment and end of term forms, the only information the\nmember enters is their name, social security number and addresses. The member enters no\ninformation that would affect the eligibility for or the amount of an education award. There is a\nsignature line on the form that has no corresponding statement or declaration. The member is\nnot authorizing, verifying or certifying anything by signing the form.\n\n       Officials who enter enrollment and exit data into WBRS have been given the authority\nto enter and/or approve that information through the security measures found in WBRS. Each\none has a password. Approving the enrollment or exit data in WBRS is comparable to\ncertifying the accuracy of the information. In addition to the official certification within\nWBRS, it would be redundant and time consuming to require a signature on an unofficial form.\n\n         In the related Notification of Findings and Recommendations, the auditors state that the\neffect is that the Corporation may have paid an education award to a member who was not\neligible to receive one. However, education awards are issued only to members who are\neligible for awards, as duly certified by an official through WBRS. There is no more of a\nchance for a person to mistakenly receive an award if the Trust receives the approval through\nWBRS, than there would be if the Trust receives the approval through a paper form.\n\n        In addition, there is no relationship between when a member fills out their name and\naddress and signs the end of term form and when the certifying official does. The member\'s\nportion of the form simply needs to be completed by the time the exit data is entered into\nWBRS. Members can do this 10, 20, or 60 days before they complete their service. 
The Trust\nhas no policy regarding this, nor is one needed.\n\n        The report states that for 20 percent of the items reviewed, the certifying official signed\nthe form more than 30 days after the member completed service. This delay would be a cause\nfor concern if the Trust still relied upon paper end of term forms as the source for transferring\nexit information to the Trust. However, the current requirement is that exit information must\nbe entered into WBRS within 30 days of the member completing service. Since the end of term\nforms are for the program\'s own files, they could have gone back to sign them well after the\ndata was downloaded to the Trust.\n\n         AmeriCorps State/National members are enrolled and exited via WBRS, with some\nminor exceptions for programs that are not currently in WBRS. WBRS information is\ndownloaded directly into the Trust\'s database. The Corporation relies upon the WBRS system\nto fulfill OMB requirements that agencies institute "paperless" systems. If programs are forced\nto return enrollment and exit forms to the Trust, the effect of a paperless system will be\neliminated.\n\nInappropriate Service Awards\n\n        Members are able to serve up to three years in a part time term of service if\nconcurrently enrolled in school (as authorized by the Corporation\'s legislation). The\nresponsibility for this requirement lies with the Commission and National Direct organizations.\nThe finding states that the auditors did not obtain documentation from a program identifying\nwhere three members served at the time of their enrollment. 
However, the Corporation noted\nthat since the AmeriCorps program itself was a university, it is likely that they were students.\n\n        In addition, a VISTA who serves for less than a year should not earn a full time award.\nAwards are given to full time VISTAs if they successfully complete their service in one year.\nIf they serve slightly more than one year, that does not affect the amount of their award. In the\ninstances cited in the report, the Trust correctly granted education awards to the members.\n\n\nSome Pending Members Incorrectly Included in Service Award Liability\n\n        Even though a third term member is in the pending category, it does not necessarily\nmean that s/he is not eligible for an award for that term. By statute, an individual may receive\nan education award only for the first and second terms in an approved national service position.\nAn approved national service position is one for which one of the benefits is an education\naward. Some terms of service do not meet the definition of an approved national service\nposition. These include, for example, a term that ends before the individual has completed 15\npercent of the required hours, provided the member has not engaged in misconduct; and a term\nin which the member has elected to receive a post-service cash stipend instead of an education\naward.\n\n        If one of the member\'s other two terms did not meet the definition of an approved\nnational service position, that previous term would not "count" and the member would be\neligible for an award for this third term. As for the "members" who did not have enrollment\nforms for program year 1994, the Corporation never counted these people as members; they\nwere classified as pending, and eventually deleted from the database. At the end of fiscal 2000,\nthe service award liability estimate was $191,985,000. 
Thus, a potential overstatement of\n$7,500 would be considered to be a negligible amount and does not constitute an internal\ncontrol weakness.\n\nRoster Confirmation Process\n\n        The condition states that not all of the rosters mailed during the roster reviews were\nreturned and for one that was returned, the database was not updated. When the auditors sent\nrosters to a sample of programs for their review, they experienced the same problems that the\nTrust has experienced with its return rate. In fact, the auditors\' return rate of 40 percent was\nsignificantly below the Trust\'s own return rates during the fiscal year of 70 percent and 57\npercent respectively. With the implementation of WBRS, the Reconciliation report generated\nthrough WBRS is the main tool used to compare the data at the program site and the data in the\nTrust\'s database. Though the Corporation agrees that there have been problems with the roster\nconfirmation process (that is why the Reconciliation Report was instituted) we do not agree that\nthis has affected the accuracy of the service award liability.\n\nC. Content of Annual Financial Reports\n\nSummary of Finding:\n\n       The management letter stated that additional improvements should be made to the\ncontent of the Corporation\'s annual financial reports.\n\nCorporation Comments:\n\n         As stated in the Corporation\'s response to this finding in the fiscal 1999 management\nletter, the Corporation recognizes that its financial reports can be improved and reviews the\ncontent of the report each year to identify and make improvements. As more and better\ninformation becomes available the Corporation will continue to revise and refine its financial\nreports. 
Specific accomplishments in this area follow.\n\nCost Accounting\n\n         During fiscal 2000, the Corporation developed a cost allocation methodology in\nconformance with federal cost accounting standards and integrated with the Corporation\'s\nfinancial management system. Under the methodology costs are distributed in such a manner\nas to allow financial reporting by program area. Once direct costs are assigned, indirect costs\nare allocated based on a systematic and rational basis. In fact, direct and indirect costs related\nto each major program were reported in the fiscal 2000 Annual Report to Congress.\n\nTrust and Gift Financial Information\n\n         The Corporation fully complied with this finding during fiscal 2000. In the\nCorporation\'s fiscal 2000 Annual Report the Corporation included compact and concise reports\non both the Trust Fund operations and Gift Fund activity, including separate financial\nstatements. The balances presented in these statements were audited but were not included in\nthe "financial statement" section of the Annual Report. The Corporation does not believe that\nplacing the individual statements in the same section as the consolidated financial statements\nfacilitates understanding and analysis of the Trust and Gift Funds\' operations by Congress and\nother financial statement users but will continue to assess and improve the financial statements\'\npresentation.\n\nExpenses by Major Program\n\n       The Corporation has developed pro forma financial statements that will be populated\nwith data under the cost allocation methodology described above. 
These statements will be\nsupported by a footnote that presents program costs by major object class, including grants.\n\nFollow OMB "Form and Content" Guidance\n\n        As evidenced by the Corporation\'s financial statements and footnotes for fiscal 2000\nand prior, the Corporation has integrated some of the requirements of OMB 97-01 where it was\ndeemed meaningful to the reader of the financial statements (e.g., footnote disclosures by fund\nfor certain areas such as Fund Balance with Treasury and Net Position).\n\n         FASAB has recently been designated as the standard setting body for GAAP for federal\nentities. The Corporation does not plan to materially alter its financial statement presentation\nuntil FASAB and OMB establish official requirements for reporting by federal corporations,\nwhich may differ from current 97-01 reporting. However, the Corporation will continue to\nintegrate 97-01 requirements if deemed to enhance reader understanding of the financial\nstatements.\n\nD. Revenue from Reimbursable Agreements\n\nSummary of Finding:\n\n       The management letter stated that cash receipts were not consistently deposited and\nrecorded in a timely manner; cost share agreements are not consistently established in\nMomentum in a timely manner; demand letters are not consistently sent on delinquent\nreceivables; and the Corporation\'s methodology for aging receivables needs improvement.\n\nCorporation Comments:\n\nCash Receipts\n\n        One of 43 cash receipts tested was deposited 13 business days after receipt because the\nService Center\'s collection officer was out sick. The Corporation does not believe this\nconstitutes an internal control weakness. During fiscal 2000, the Corporation continuously\nreemphasized with appropriate supervisory staff the requirement to deposit and record cash\nreceipts in a timely manner. 
In addition, supervisory staff is to periodically review activity in\nthis area to ensure that this policy is adhered to. The Corporation has made significant\nimprovements in this area, reducing the number of untimely deposits from nine out of 45 tested\nin fiscal 1999 to one out of 43 in fiscal 2000. In addition, the one instance of untimely deposit,\ntotaling $236.82, was a matter of unavoidable circumstance whereby one of the service center\nemployees was out sick. A back-up person has been trained to make deposits in the absence of\nthe Collection Officer in order to assure timely deposit.\n\nCost Share Agreements\n\n        The instances where cost share agreements were not recorded prior to their start date\nnoted by the auditors were mainly the result of system implementation and upgrades.\nMomentum was implemented in September 1999; however, final cost share procedures were\nnot disseminated until January 2000. Five of the six exceptions noted by the auditors were for\ncost shares that began during this time period but were not entered until after the final cost\nshare procedures. The main reason for the delay was a backlog of payments and other higher\npriority items. Cost shares starting in the first quarter are not billed until January; therefore,\nthey were a lower priority than invoices that were already due.\n\n       The instances noted by the auditors where budgeted amounts were not re-established in\nMomentum after year-end are due to the amounts not being entered prior to January when the\nsystem was upgraded. Problems with the cost share module after the initial upgrade prevented\nthe budgeted amounts from being properly entered. This was due to other priorities that took\nprecedence over cost share agreements that are not billed but once a quarter. 
These agreements\nhave since been entered.\n\nAccounts Receivable Delinquency\n\n        The Accounts Receivable team already runs monthly reports of all accounts receivable,\nand monitors the status of each receivable. Therefore, the auditor recommendation is already\nstandard procedure. Monthly monitoring of the AR reports includes verifying that an initial\ndemand letter is sent timely, that a debtor file is forwarded to HQ for further collection action,\nand that the debt is sent to Treasury according to federal and Corporation Debt Collection\nregulations. AR staff requests monthly updates from the originating office of each receivable.\nAs noted by the fact that there was only one exception, the monitoring process is working in an\neffective manner.\n\n        In the case of the one exception noted by the auditors, the specific originating office did\nnot respond to repeated update requests from HQ about whether a demand letter had been\nissued or not. The Corporation has re-emphasized to that specific office the importance of\nreviewing the receivables reports, and the necessity of following debt collection policy timely.\nThe office has recently assigned one individual to be the central contact point with HQ. This\nshould ensure that appropriate action, such as sending a demand letter, will occur on a timely\nbasis.\n\nAccounts Receivable Aging\n\n       The Corporation agrees with the need to update its policy on aging of cost share accounts\nreceivables and will implement a new policy by December 2001.\n\nE. 
Information Technology\n\nSummary of Finding:\n\n        The management letter stated that the Corporation had incomplete disaster recovery\nplan testing; an inadequate internal control assessment for Momentum at the National Business\nCenter; a shared Momentum system administration account; and lack of proper access controls\nfor WBRS.\n\nCorporation Comments:\n\nDisaster Recovery Plan\n\n        The Corporation acknowledges that formal testing of the disaster recovery site was not\nconducted. Formal testing was postponed while infrastructure upgrades, which will\ndramatically change the configuration of the site and render any prior testing useless, are being\nperformed. Additionally, the Corporation disagrees with the statements in the audit report that\nthe current plan "cannot be assumed to work" or "provides no more than a false sense of\nsecurity." The disaster recovery site is a hot site that is monitored every minute through\nautomated tools and data is transmitted to the disaster recovery servers daily. The Corporation\nplans to complete all infrastructure upgrades and reconfigure the disaster recovery site before\nthe end of fiscal 2001.\n\nNational Business Center SAS 70 Report\n\n        The Corporation acknowledges that the Department of the Interior, National Business\nCenter (NBC), has yet to conduct a SAS 70 study for the client-server environment that\nMomentum is operating within. NBC has been made fully aware of the importance of\nobtaining a completed study and that the Corporation needs to receive a copy of the completed\nreport. On April 1, 2001, NBC began the SAS 70 control period, which will conclude on\nSeptember 30, 2001 and the SAS 70 review is scheduled to begin in October 2001. Because of\nthe timing involved in establishing a control period this is the soonest that a SAS 70 study can\nbegin. 
In the interim, to assure the Corporation of the protection of its financial data, NBC has\nbeen sharing its backup and disaster recovery plans with the Corporation\'s Office of\nInformation Technology.\n\nMomentum System Administrator Account\n\n       The Corporation agrees with this finding and corrected the problem in February 2001.\n\nAccess Controls for WBRS\n\n        The Corporation agrees with the need for additional access controls and will address\nthese issues with system modifications.\n\nF. Procurement and General Expenditures\n\nSummary of Finding:\n\n         The management letter stated that the Corporation\'s acceptance policy for recording\nliabilities for goods and services received, but not paid at year-end, should be revised and\nduplicate vendor codes should be deleted from Momentum.\n\nCorporation Comments:\n\nAcceptance Date\n\n           The management letter recommended that "the Corporation revise its policy to\nmake its official acceptance date the same as the date the goods or services are received." The\nCorporation\'s policy on acceptance is based on federal law. However, the Corporation also\nrecognizes that some employees responsible for completing receipt documents do not\ncompletely understand the difference between receipt and acceptance dates. During fiscal\n2001, the Corporation posted additional guidance on the Intranet and forwarded the information\nto supervisors for distribution in order to reinforce proper procedures.\n\n Vendor Codes\n\n      In the scenario described by the auditors regarding duplicate vendor names, the risk of\nmaking disbursements to the wrong vendor name is not significant. It is a common practice\nwithin government to set up multiple addresses under one vendor code at the request of vendors\nthat have many regional offices. 
The accounting technicians entering payment documents must\nalways determine the correct address code to use when making a payment. The address code is\na required field within Momentum from the requisition document through to the payment\nvoucher. A disbursement cannot be made based on a vendor code alone. Therefore, although\nin some cases there are numerous address lines set up for one vendor code, the accounting\ntechnician must always look up the proper line for input. The document will not otherwise\nprocess.\n\n        In the specific instances cited by the auditors, the four duplicate vendor code address\nlines were deactivated prior to identification by the auditors, not subsequent. The auditors\nincorrectly assumed that they were testing from only active vendor codes; when the\nCorporation explained to the auditors that the four codes questioned were deactivated, they\nincorrectly assumed they were deactivated at that point in time. However, the vendor file\ncontains all vendor codes ever populated in Momentum, regardless of current status. These\ncodes must be maintained for historical purposes.\n\n        The Corporation agrees that vendor codes that have not been utilized since conversion\ncan be deactivated and is currently in the process of further analyzing the vendor table in\nMomentum and making changes as needed. In addition, user access to the vendor table is\nbeing limited to specific individuals at each service center and in HQ.\n\nG. 
Human Resources\n\nSummary of Finding:\n\n       The management letter stated that controls over processing of payroll and maintenance\nof supporting documentation should be improved; some files were incomplete; inaccurate\ninformation is entered into VMS for VISTA members; and approval of federal payroll\nreconciliation is not secured by a cryptography system.\n\nCorporation Comments:\n\nPayroll Processing Controls\n\n       The Corporation followed up the instances where the audit finding indicated that there\nwere errors made in payroll deductions. The review disclosed that no errors were made and the\nprocess is working correctly. The Corporation will re-emphasize the need to keep signed\ncopies of training documents in the files.\n\nNCCC Member Application Files\n\n        The files referred to in this finding are not payroll files and have no bearing on the\namounts paid to NCCC members. However, the Corporation agrees that in several instances\nthe files were incomplete and will re-emphasize the need to ensure that files are complete.\n\n        An independent review is already performed of the stipend payments made to\ncorpsmembers each pay period. Of the two errors cited in the audit, one was a shortfall of one\nday\'s payment to a corpsmember. The other instance cited was not an error but in fact was an\nintentional overpayment required for a corpsmember who had been given team leader duties\nover the summer but had only been compensated at the corpsmember rate. When the\nunderpayment was discovered the additional pay was sent to him, which is why it appears to be\nan overpayment for that pay period.\n\n        The audit also identifies four corpsmembers who were paid in the second pay period\nrather than the first pay period for the year they started. 
These corpsmembers\' names were not\nforwarded to the payroll-input technician in time because they were last minute additions. An\nadditional review of the payroll input technician\'s work would not reveal this condition.\nHowever, the Corporation plans to have the input technician contact each campus during the\nfirst week of each class to identify any late additions to classes. This should prevent this from\nreoccurring in the future.\n\nVISTA Member Files\n\n        The Corporation will need to review the auditor\'s working papers and evidence\nsupporting their conclusions to analyze the exceptions noted because the Corporation\'s review\nof the files tested by the auditors does not agree with the results reported in the management\nletter. However, in the interim, the Corporation will reemphasize the importance of\nmaintaining accurate and complete VISTA member files.\n\nVMS Data Entry\n\n       Within the past two months, State Program Assistants, the individuals primarily\nresponsible for VMS data entry, participated in SPAN training. This training focused on the\nimportance of accurate data. The Corporation believes that this additional training will result\nin improved data entry. The Corporation will continue to monitor data entry to assure that\naccurate data is entered into the system in a timely manner.\n\nPayroll Reconciliation Approval\n\n        The PC-TARE payroll reconciliation does not contain sensitive information requiring\nthe security afforded by a true electronic signature, i.e., one containing a cryptographic\nalgorithm. Nonetheless, the Personnel Management Specialist has been instructed to eliminate\nthe use of his scanned-in signature and to affix his original signature on future forms.\n\nH.       
Position\n\nSummary of Finding:\n\n       The management letter stated that 7 of the 79 items selected should have been\ndeobligated at year-end.\n\nCorporation Comments:\n\n        The amount in question in this finding is $362,821, or .06 (less than one) percent, of\ntotal obligations and does not have an impact on Corporation obligations as stated in the\nfinding. In the related Notification of Findings and Recommendations, the auditors state that\nthe effect is that "the Corporation may be unaware of available balances that could be used to\nfund other activities." Approximately $350,000, or 96 percent, of the amount relates to grants\nthat were issued in fiscal 1998 and prior. The obligations set aside for these grants (grant\naward) were not fully used by the grantee. However, the grantee has use of these funds for the\nentire grant period. Thus, once a grant period has expired, the grant funds, which are only\navailable for obligation for periods up to two years, have also expired. These funds cannot be\n"used to fund other activities."\n\n        The Corporation has acknowledged that it has been delinquent in prior years in timely\ncloseout of grants; however, there is an initiative currently underway to improve upon grant\ncloseout. Grant closeout was already addressed in the report on internal controls as part of the\ngrants management weakness. In any case, the lack of use of grant funds awarded to a\nparticular grantee does not allow the Corporation to utilize these funds elsewhere after a grant\nperiod, and the period of funds availability, has expired. 
There is little chance of being able to\nreobligate these funds once the grant period and a six-month closeout period have passed;\ngenerally the period for obligation allowed by law will have passed, causing the funds to\nautomatically expire.\n\ncc: Wendy Zenker\n    Phyllis Beaulieu\n    Charlene Dunn\n    Julia Fisher\n    Peg Rosenberry\n    Dave Rymph\n    Dave Spevacek\n    Bob Torvestad\n    Simon Woodard\n    Gerry Yetter\n    Teny Bathen\n    Karyn Molnar\n'